SDN and NFV are the next phase of technology change, which will help service providers launch services in a single click. This is all about the programmability of networks using open source software-defined network controllers.


Sunday, November 30, 2008

Nov 29 15:02:46.765: OSPF: Mismatched hello parameters from 10.1.1.2
Nov 29 15:02:46.765: OSPF: Dead R 40 C 40, Hello R 10 C 10, Mask R 255.255.255.252 C 255.255.255.0

Have you ever seen this type of debug message, with R and C values? Yesterday I was busy with a lab exercise and found the above lines in the debug output. I analysed the logs carefully and concluded one thing about the C and R values: C stands for the local router and R stands for the remote router. The logs above clearly show that the subnet mask used by the remote router is 255.255.255.252 while the local router uses 255.255.255.0. In addition, they tell us the dead and hello intervals of the local and remote routers. By analysing these logs you can quickly conclude why the routers are failing to form an OSPF adjacency. One more thing is very clear from the logs: the link used by the router is not a serial link, because on a serial link the hello never carries a subnet mask. On a serial link the subnet mask used by OSPF is always 0.0.0.0.
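A small parser for this kind of debug output, added here as an example (not part of the original post): it pairs each "Mismatched hello parameters from" line with the R/C line that follows, keeps only the parameters whose received (R) and configured (C) values differ, and flags a 0.0.0.0 mask on both sides as the point-to-point case described above. The log sample is constructed; the second neighbour is invented to show a timer mismatch.

```python
import re
from typing import Dict, List

# Constructed sample in the format of the debug output above (not captured from a real router).
SAMPLE_DEBUG = """\
Nov 29 15:02:46.765: OSPF: Mismatched hello parameters from 10.1.1.2
Nov 29 15:02:46.765: OSPF: Dead R 40 C 40, Hello R 10 C 10, Mask R 255.255.255.252 C 255.255.255.0
Nov 29 15:03:11.102: OSPF: Mismatched hello parameters from 10.1.1.6
Nov 29 15:03:11.102: OSPF: Dead R 120 C 40, Hello R 30 C 10, Mask R 0.0.0.0 C 0.0.0.0
"""

PEER_RE = re.compile(r"OSPF: Mismatched hello parameters from (\d{1,3}(?:\.\d{1,3}){3})")
# values are digits/dots only, so the trailing comma after "C 40," is not swallowed
PARAM_RE = re.compile(r"\b(Dead|Hello|Mask) R ([\d.]+) C ([\d.]+)")


def parse_mismatches(debug_text: str) -> List[Dict]:
    """Pair every 'Mismatched hello parameters from X' line with the 'R ... C ...' line
    that follows it. R is the value received from the remote neighbour, C is the value
    configured on the local router; only parameters where R != C are kept."""
    entries: List[Dict] = []
    pending_peer = None
    for line in debug_text.splitlines():
        peer = PEER_RE.search(line)
        if peer:
            pending_peer = peer.group(1)
            continue
        params = PARAM_RE.findall(line)          # list of (name, remote, local)
        if params and pending_peer is not None:
            masks = next(((r, c) for name, r, c in params if name == "Mask"), ("", ""))
            entries.append({
                "peer": pending_peer,
                "mismatches": [(n, r, c) for n, r, c in params if r != c],
                # a 0.0.0.0 mask on both sides means the hello carries no mask at all,
                # i.e. a point-to-point (e.g. serial) link, so the mask can never mismatch there
                "point_to_point": masks == ("0.0.0.0", "0.0.0.0"),
            })
            pending_peer = None
    return entries


def diagnose(entry: Dict) -> str:
    """One-line verdict per neighbour naming the parameter(s) to reconcile."""
    if not entry["mismatches"]:
        return f"{entry['peer']}: no differing parameter found in the R/C line"
    parts = [f"{name} remote={r} local={c}" for name, r, c in entry["mismatches"]]
    link = "point-to-point link" if entry["point_to_point"] else "multi-access link"
    return f"{entry['peer']} ({link}): " + "; ".join(parts)


if __name__ == "__main__":
    for entry in parse_mismatches(SAMPLE_DEBUG):
        print(diagnose(entry))
```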

Saturday, November 29, 2008

An unprecedented attack on Mumbai on 26 November 2008 was carried out by perpetrators aged 20 – 25 years. The mission was planned in such a manner that it could go on for a long time with the maximum number of living beings killed. You may find it strange to see this type of nationalistic post on a service provider blog. Actually I am relating the Mumbai issue to computer networks. We as Indians are trying our level best to kill terrorism at its roots, but all in vain. Instead of killing terrorism we should march towards security. Still we are not learning from our mistakes, and just because of this we are f*****. The same scenario applies to computer network security: today we are not taking any type of precaution, but what happens when an attack comes on the network? Every time we face the problem and pledge that next time we will do our level best, but after the event is over we forget everything. Is this the right approach? Ask yourself. If you want to see the right approach, try to learn from the National Security Guard (NSG). The approach followed by them is really splendid. Why am I commenting on their approach? Because they first make a plan of their target and of who can be affected by it. The target is militants; in the case of computer networks the target is a virus or a hacker. Civilians are affected; in the case of computer networks simple data packets will be affected. So the NSG decided to go in via the roof instead of the ground floor, because they knew that the militants sitting on the top storey could fire on them easily and civilians would be affected. In the same way, when the network is hacked or behaving like hell, try to think coolly and never do things in a hurry that create a mess for you later. Another thing we need to learn from the NSG is patience. Why am I talking about patience? Because sometimes we lose our patience during network attacks and do things blindly.
So never make such mistakes during network attacks; try to collect the data. I know that at that time your network is at stake and you are the stakeholder. But keep one thing in mind: if you are not able to get to the roots, and the roots can only be collected in the form of data, then the same thing can happen again at any time, and at that time you will not have any workaround. In this way a small problem may get on your nerves and take your network down for a long or short time. One thing I liked the most was the behaviour of the politicians, which was totally different. Instead of blaming each other as they used to do, this time they came together as a single group with one word: the need to save India. Really a very realistic and patriotic approach. We as network operators or service providers need to follow the same approach instead of saying that my network is secure and I have nothing to do with other networks. Now the time has come to pull up the reins of security instead of fighting with terror or network attacks. If you check the major incidents, they happened just because of lack of security. So we need to design the security model in such a way that the risk of terrorism or network attacks is minimized. What we are facing today is just because of our mistakes. At last I would like to say one thing: never fight against terror, always fight for security and get it implemented as soon as possible, without losing our beloved ones or computer data.

Friday, November 28, 2008

I still remember 22nd February 2008, the day I was asked to perform summarization of only the odd subnets in my CCIE lab. It seems a hard job at first sight, but you really enjoy it when you come to know it is actually not as hard as you think. Before moving ahead you should be familiar with the concept of summarization. When we talk about permitting odd or even subnets, it means you have to create an ACL in a smart way so that it allows only the subnets that are not divisible by 2 (for odd subnets) or divisible by 2 (for even subnets). Start playing with the binary. For example, we want to allow only the given subnets in the ACL. For this we require the network address as well as its subnet mask:

10.1.0.0/24
10.1.2.0/24
10.1.4.0/24
10.1.6.0/24
10.1.8.0/24

The first two octets and the last octet are the same for all of them, so there is no need to write out their binary. We need to play with the third octet only. Convert it to binary:

Binary of 0 is 00000000
Binary of 2 is 00000010
Binary of 4 is 00000100
Binary of 6 is 00000110
Binary of 8 is 00001000

Check the pattern of the first bit (the rightmost, least significant one), which is always 0 here. Here is the logic: for all even numbers the first bit will always be 0, and it will be 1 for odd numbers. Now create the wildcard mask: put 1's where the bits are changing and 0's everywhere else. The wildcard mask for 0, 2, 4, 6, 8 will be 00001110, which is equivalent to 14. So the network is 10.1.0.0 and the wildcard mask is 0.0.14.0. By following the same steps you can calculate the wildcard mask for the odd subnets also.

Is this type of summary or ACL required in real-life scenarios? Maybe the answer is no, but I think it can be used where you have two links and you advertise the odd subnets from one link and the even subnets from the other. But what will happen if a link goes down? When you get the answer, kindly reply to my post.

Thursday, November 27, 2008

We were getting protocol 73 in the ip cache flow output and were not able to confirm what the protocol is actually meant for. After googling we came to know that it is a heartbeat protocol. But then the question comes to mind: what is this heartbeat, and why is it showing up with L2TPv3? Actually it is the keepalive used by L2TPv3 to check whether the remote destination is dead or alive. So if you are getting 73 in your cache flow there is no need to worry; simply check whether you are running L2TPv3 or not.

Tuesday, November 25, 2008

FEC is the Forwarding Equivalence Class, which means providing the same type of behaviour to reach the destination. What does the same behaviour mean? Actually, when a packet comes to a router the following steps need to be made for its forwarding:

Step 1:- Forward the packet to the same next-hop. This is the same as in fast switching (fast switching uses interrupt-based switching).
Step 2:- Determine the outgoing interface; all packets should be forwarded out of the same interface (please check the CEF Load Balancing Problem).
Step 3:- The same type of treatment should be given to all packets. Treatment means the queuing behaviour, like FIFO etc.

The above steps are performed at each and every hop. Even if the router is using interrupt context switching (cache switching), it still has to make the forwarding decision on the basis of these steps, which requires a lot of CPU processing. Now you know the basics of FEC, but is the forwarding the same in the case of MPLS? The answer is definitely no. Let's check what happens in the case of MPLS. In MPLS the path is label switched. So when the packet enters the router the same steps mentioned above are performed, but at the next-hop router the packet is only switched from one interface to another. It means the core is able to switch the packets and the FEC is determined at the ingress router. So the control plane will be at the PE router and the forwarding plane in the core. The control plane of the router should be kept in mind while designing the edge routers.

Monday, November 24, 2008

At last I am able to configure dot1x authentication for wireless devices. My requirement was that if any user comes on wireless he should be authenticated against the Microsoft Active Directory (AD) database. For implementing dot1x I installed a Microsoft Active Directory server with RADIUS and DHCP. A switch was connected to the server and the wireless device. Whenever a laptop or any PC requests to connect to the wireless network, a logon window prompts for the username and password with domain. On successful authentication the user gets an IP address; if it fails no IP is given.

Saturday, November 22, 2008

Hierarchical route reflector design is mainly used by MPLS VPN service providers who want to build redundancy at every tier. For more explanation kindly download the document, which clearly depicts the situation where a hierarchical design is preferred over a simple RR design. Click here to download

Friday, November 21, 2008

Introduction
This document shows the impact of summarization on loopback addresses in an MPLS environment.

Requirements
Prior to reading this document you should be familiar with the MPLS VPN environment. Most important is to know about PHP and double PHP.

Understand the current topology

As shown in figure 1, the service provider has a three-tier architecture:

a) Tier one consists of the core, which participates only in area 0.
b) Tier two is directly connected to area 0 and to a local area.
c) Tier three routers are connected to tier two, not directly to tier 1. Tier three participates only in the local area.

The same model is used for all locations. Every tier 2 has been allocated a /16 pool. Why /16? So that a summary can be performed from area 1 into area 0. By summarizing, only a single route comes into area 0 and no more flaps participate in SPF calculations. In figure 1 PUNE is a tier two POP and the aggregation point of all the links that come from tier 3 or from local PUNE. A schematic IP pool of 10.1.0.0/16 is allocated to the PUNE provisioning team, and this pool is further divided into 255 networks of /24 like those given below:

10.1.1.0/24
10.1.2.0/24
10.1.3.0/24

Every /24 is allocated to one POP. 10.1.255.0/24 is reserved for loopback addresses, and 10.1.253.0/24, 10.1.252.0/24 & 10.1.252.0/24 are reserved for WAN addresses.

Requirement of POP

a) OSPF as IGP
b) MP-BGP
c) Loopback address
d) WAN addresses
e) LAN addresses

Along with the /24 pool given to every POP, a /32 IP address is given from the 10.1.255.0/24 pool. When the routes are advertised into MP-BGP, the loopbacks of the POP routers are used as the next-hop. It means LDP is performing on the loopback addresses.

Note:- That's why labels are always advertised for the loopback addresses and not for all the routes.

Performing Summary

Now the time has come to do the summary on the PUNE routers so that the number of routes in the core decreases. Prior to this everything is working fine. But as soon as the summary is performed, all the PUNE VPN customers go dark. They are not able to access their VPNs across the country. What's the reason for this? Routes are being learned properly and the IGP next-hops are reachable, but what happened to the VPN customers?

The reason for black hole

In my PHP post I clearly mentioned that Penultimate Hop Popping occurs only for directly connected and summary routes. It means every router gives implicit null to the adjacent router for its loopback address. In figure 1 T-PE2 gives implicit null to T-PE1 for its loopback 10.1.255.2. It means that when a packet destined to 10.1.255.2 comes to T-PE1, it simply removes the upper label, which is the IGP label, and forwards the packet with only the VPN label. On reaching T-PE2, it looks up the VPN label, which it learned from one of its interfaces, and forwards the packet towards it.

Now what happens in the case of summarization at the ABR? On the ABR a summary is performed for the 10.1.0.0/16 pool, which also includes your loopback addresses. As soon as the summary is announced on the ABR, an implicit null is announced to the directly connected peers in area 0. When a packet has to reach the PUNE region from any of the other locations, those routers know they are getting the /16 pool from the PUNE ABR, and the packet is forwarded towards the destination. When the packet reaches the Tier 1 routers, they know they are getting implicit null from the PUNE router; it means they need to do PHP. So they remove the IGP label and forward the packet with the VPN label only. When the packet reaches the PUNE ABR it checks the label, which is actually a VPN label, but that VPN is not attached to the PUNE ABR; consequently the packets start to drop.

Workaround

Either perform the summary in a way that excludes your loopback addresses, or, as a second method, use an altogether different pool for the loopback IP addresses, one which never participates in summarization.

Thursday, November 20, 2008

If you are working in a service provider network then you might be facing a problem of link flapping on links attached towards the CPE. It is a very common issue which is ignored many times. But during log analysis we always see a weird error about receiving a BPDU with a smaller cost, and most of the time we hardly diagnose the problem. So eventually one of my colleagues added the command spanning-tree bpdufilter enable. After adding the command the link flapping stopped. After that we analysed what happened after adding the command, why the link flapping stopped suddenly, and why as soon as we removed it we got stuck with the same problem again. Actually superior BPDUs were being received from the client end on the switch port, due to which the port may have been going into blocking state. After adding the command, whenever the switch receives a BPDU from the client end it silently drops it, and the issue is resolved smartly. So we finalized it as a best practice to add the command to every client-facing interface.

Wednesday, November 19, 2008

Yesterday Cisco started a virtual summit on the topic "You & Cisco: Succeeding with Managed Services"; approx. 167 people joined the conference from across the globe. The main agenda of the conference was to launch managed services. Cisco named it the Cisco Powered Program. The definition of the Cisco Powered Program states that they will dive into the market with their partners to provide managed services to customers. It serves members in all aspects of the service lifecycle, from launching a service to marketing and finally selling it. It builds on Cisco's expertise in creating network-based services, as well as the strong Cisco brand and its reputation among businesses, to launch and sell sophisticated and differentiated new services. The virtual summit is an efficacious way to deliver a conference across the globe; it feels the same as sitting in front of the speaker. I think they are using telepresence for this. It was a good experience and you should join it once.

Tuesday, November 18, 2008

I request you all to be a part of the Cisco virtual summit, which is going to be held today at 7:40 pm. So be sure to register yourself and be a part of it. It's all about managed services. Enjoy, and catch me there.

Today I am going to tell you about the wildcard mask, which is also known as WCM. The WCM determines what gets permitted and denied. It's all about 0's and 1's. Remember one rule which clearly states that 0 means match and 1 means don't care. What it exactly means is that if you put a 0 in a bit of your WCM entry, the corresponding bit of the network address must match, and if you put a 1 then the corresponding bit of the network address is not checked at all (any value is permitted). Simply we can say it is like mirroring, which checks each bit against the corresponding bit in the octet and takes the decision on the basis of the 0's and 1's.

Let's clear it up with the help of an example. We need to permit all hosts in the network 192.168.1.0/24. For this we need to create an ACL, and the WCM will be used here. It means we want the first three octets, i.e. 192, 168 and 1, to remain the same and only the last octet to be allowed to change. It means the last octet can contain any value from 0 to 255. Now create the WCM for this:

00000000.00000000.00000000.11111111

The 1st octet in the WCM is all zeros, so it checks its image in the mirror, finds 192, and that is not allowed to change; the same applies to the 2nd and 3rd octets. In the last octet all 1's are used, so it will not check its image in the mirror because everything is allowed in it. So at last you will be permitting 192.168.1.0, 192.168.1.1, 192.168.1.2, 192.168.1.3 ... and so on up to 192.168.1.255.
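The following is an added example (not code from the original posts) covering both this wildcard-mask post and the odd/even subnet post above. It derives the network/wildcard pair from a list of subnets exactly as the binary method does (wildcard bit = 1 wherever the addresses differ), checks addresses against an entry with the 0 = match / 1 = don't care rule, and enumerates which 10.1.X.0 networks an entry really admits, which shows that 10.1.0.0 0.0.14.0 lets in 10, 12 and 14 as well as 0, 2, 4, 6, 8.

```python
import ipaddress
from typing import Iterable, List, Tuple


def _dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_for(subnets: Iterable[str], cover_hosts: bool = False) -> Tuple[str, str]:
    """Derive one (network, wildcard) ACL entry that admits every listed network.
    A wildcard bit is 0 where all the addresses agree (match) and 1 where any of them
    differ (don't care); the network keeps the bits they all share. With cover_hosts=True
    the host bits of the prefixes are also set to 1, so hosts inside the subnets match
    and not just the network addresses themselves."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    addrs = [int(n.network_address) for n in nets]
    shared = addrs[0]
    union = addrs[0]
    for a in addrs[1:]:
        shared &= a          # bits set in every address
        union |= a           # bits set in any address
    wildcard = shared ^ union   # = bits that are not identical across all addresses
    if cover_hosts:
        for n in nets:
            wildcard |= int(n.hostmask)   # hostmask is already the inverse subnet mask
    return _dotted(shared), _dotted(wildcard)


def matches(address: str, network: str, wildcard: str) -> bool:
    """Cisco ACL semantics: the address matches when every bit that is 0 in the wildcard
    is identical between the address and the network; bits that are 1 are ignored."""
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ n) & ~w & 0xFFFFFFFF) == 0


def matched_third_octets(network: str, wildcard: str) -> List[int]:
    """Which 10.1.X.0 networks does the entry admit? Enumerating X exposes the extra
    subnets a wildcard silently lets in beyond the ones you started from."""
    return [x for x in range(256) if matches(f"10.1.{x}.0", network, wildcard)]


if __name__ == "__main__":
    even = ["10.1.0.0/24", "10.1.2.0/24", "10.1.4.0/24", "10.1.6.0/24", "10.1.8.0/24"]
    net, wc = wildcard_for(even)
    print(f"access-list 10 permit {net} {wc}  -> third octets", matched_third_octets(net, wc))
    print("all odd subnets:", matched_third_octets("10.1.1.0", "0.0.254.0"))
    print("192.168.1.0/24 hosts:", wildcard_for(["192.168.1.0/24"], cover_hosts=True))
```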

Monday, November 17, 2008

Have you ever thought about what will happen if you do not use loopbacks in your MPLS environment? The same has been tested in a test lab and you will be stumped to see the results. Prior to reading this article kindly have a look at PHP first.

LSR-1 is getting imp-null from 10.1.1.6. It means the IGP tag is removed here and the packet is forwarded with the VPN tag only. In the above output we actually get the reason for the ping not working. The reason is Penultimate Hop Popping (PHP). Actually LSR-1 is getting imp-null from LSR-2 because 10.1.1.8/30 is a directly attached subnet. Because of PHP, LSR-1 removes the IGP label before forwarding to LSR-2. So LSR-2 receives the packet with only the VPN label; in its LFIB it is not able to find that label, and subsequently the packet drops at LSR-2. From figure 1 you can see that PHP is happening twice for the 10.1.1.8/30 subnet, because it is directly connected to both LSR-2 and LER-2. After creating loopbacks, PHP takes place only once, the IGP label is removed by LSR-2, and the end-to-end ping is achieved. Download Full Article

Saturday, November 15, 2008

All of you might be aware of the super backbone concept in MPLS. No issue if you don't know; I will explain it in a couple of words. As per the super backbone concept, the service provider network works as area 0 for customer links. It means that for every VPN which uses OSPF as the PE-CE routing protocol there is no need to configure area 0. Without introducing area 0, all links of the VPN can communicate with each other. This is all about the super backbone concept. But what happens if a customer uses area 0 in his network? Simply ask the customer to extend area 0 up to your PE, but as per my experience none of the customers will do that. Consequently an immense problem can occur if the customer does not extend area 0 up to the PE. Click here to download the full solution.

Thursday, November 13, 2008

Multicast is one of the best services and is going to spread enormously in next generation networks. It means everyone will use video or IPTV at their end. This can be judged from the Beijing Olympic Games, from how multicast was used to deliver the services to the end users; really Cisco did a great job for this. From the stats I came to know that more than 9.9 million hours of video were consumed for the Beijing Games, which is approximately equivalent to 1126 years of video. Really a mammoth number. So be prepared with multicast if you are not. Here are some of the record-breaking NBCOlympics.com video traffic statistics:

• Video Streams: 75.5 million for Beijing, 10.8 million for the Athens and Torino Games combined
• Unique Users: 51.9 million for Beijing, 25.2 million for the Athens and Torino Games combined
• Page Views: 1.24 billion for Beijing, 561.1 million for the Athens and Torino Games combined
• Hours of Video Streamed: 9.9 million hours of video consumed for the Beijing Games, the equivalent of 1,126 years of video.

For more you can visit the link: Click Here

Wednesday, November 12, 2008

Yesterday Cisco launched the ASR 9000 series routers for service provider networks. For more you can view Cisco ASR. As per Pankaj Patel: "There's a lot to digest there, but in summary, I look at this as a great example of Cisco innovation - it took four years and more than two hundred people to design what our service provider customers need in anticipation of things to come. While Ira's journey may be over, the journey of the Cisco ASR 9000 Series is just beginning. And the journey of Cisco, bringing innovative solutions to market to help us all achieve the infinite possibilities the network has to offer, is still strongly and resolutely continuing." Cisco Systems unveiled a supercharged router called the ASR 9000, which is capable of moving 6.4 terabytes per second of traffic. The router is aimed at service providers with next-generation networks which plan to run bandwidth-heavy services such as video, IPTV, mobile broadband, and more. With the explosion of YouTube videos and other bandwidth-hungry apps, service providers are looking to stay ahead of the bandwidth demand curve. The ASR 9000 hopes to address that need with the ability to support the future "Zettabyte era". The ASR 9000 router is capable of transmitting data at a rate of 6.4 trillion bits per second, and it has 10 times the bandwidth capacity of Cisco's ASR 1000 router. The Cisco ASR 9000 Series also features a fully integrated timing infrastructure, allowing the routers to take in timing inputs (Synchronous Ethernet, Building Integrated Timing Supply [BITS], Data Over Cable Service Interface Specification [DOCSIS] Timing Interface [DTI], etc.) and distribute them over the backplane to each slot. This capability allows rich support for transparent mobile convergence, mobile Radio Access Network (RAN) backhaul, and Time-Division Multiplexing (TDM) circuit emulation, without sacrificing performance or scale.

Currently it comes in two flavours, 9006 & 9010. For datasheets kindly follow the download link.

Tuesday, November 11, 2008

With reference to my last post on Interrupt Context Switching vs Process Switching, I am explaining more about the interrupt context switching mechanism, which is used by fast switching, optimum switching and CEF switching. All three switching techniques use a cache. So you can see how the cache is used by the switching methods, and because of that cache it is said that Cisco uses interrupt context switching.

Fast Switching
Fast switching stores the forwarding information and MAC header rewrite string using a binary tree for quick lookup and reference. In fast switching, the reachability information is indicated by the existence of a node on the binary tree for the destination of the packet. The MAC header and outbound interface for each destination are stored as part of the node's information within the tree. The binary tree can actually have 32 levels. In order to search a binary tree, you simply start from the left (with the most significant digit) in the (binary) number you are looking for, and branch right or left in the tree based on that digit. For instance, if you are looking for the information related to the number 4 in this tree, you would begin by branching right, because the first binary digit is 1. You would follow the tree down, comparing the next digit in the (binary) number, until you reach the end.

Optimum Switching
Optimum switching stores the forwarding information and the MAC header rewrite information in a 256-way multiway tree (256-way mtree). Using an mtree reduces the number of steps which must be taken when looking up a prefix. Each octet is used to determine which of the 256 branches to take at each level of the tree, which means there are, at most, 4 lookups involved in finding any destination. For shorter prefix lengths, only one to three lookups may be required. The MAC header rewrite and output interface information are stored as part of the tree node.

CEF (Cisco Express Forwarding) Switching
Cisco Express Forwarding also uses a 256-way data structure to store forwarding and MAC header rewrite information, but it does not use a tree. Cisco Express Forwarding uses a trie, which means the actual information being searched for is not in the data structure; instead, the data is stored in a separate data structure, and the trie simply points to it. In other words, rather than storing the outbound interface and MAC header rewrite within the tree itself, Cisco Express Forwarding stores this information in a separate data structure called the adjacency table.
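To make the CEF structure above concrete, here is an added example (my own illustration, not Cisco code) of a 256-way trie whose nodes hold only an index into a separate adjacency table: one slot access per octet, at most four levels for any destination, and prefixes that do not end on an octet boundary (a /30, say) expanded into the run of slots they cover. The sample prefixes, interfaces and MAC strings are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Adjacency:
    """One adjacency-table entry: where the packet leaves and the MAC header to prepend."""
    out_iface: str
    next_hop: str
    mac_rewrite: str


@dataclass
class Node:
    """One level of the 256-way trie. It carries no rewrite data, only an index into the
    adjacency table (plus the prefix length that put it there, for longest-match)."""
    children: List[Optional["Node"]] = field(default_factory=lambda: [None] * 256)
    best: Optional[Tuple[int, int]] = None   # (prefix length, adjacency index)


class CefTable:
    def __init__(self) -> None:
        self.root = Node()
        self.adjacencies: List[Adjacency] = []

    def add_adjacency(self, adj: Adjacency) -> int:
        self.adjacencies.append(adj)
        return len(self.adjacencies) - 1

    def add_prefix(self, prefix: str, adj_index: int) -> None:
        net = ipaddress.ip_network(prefix, strict=False)
        plen = net.prefixlen
        octets = net.network_address.packed
        depth = (plen + 7) // 8                 # one level per (partial) octet of the prefix
        if depth == 0:                          # 0.0.0.0/0 lives on the root itself
            self._set_best(self.root, plen, adj_index)
            return
        node = self.root
        for level in range(depth - 1):          # fully covered octets: walk/create one node each
            if node.children[octets[level]] is None:
                node.children[octets[level]] = Node()
            node = node.children[octets[level]]
        # A prefix that does not end on an octet boundary (e.g. /30) is expanded into the
        # run of slots it covers at its last level, so a lookup never has to test single bits.
        span = 1 << (8 * depth - plen)
        base = octets[depth - 1]
        for value in range(base, base + span):
            if node.children[value] is None:
                node.children[value] = Node()
            self._set_best(node.children[value], plen, adj_index)

    @staticmethod
    def _set_best(node: Node, plen: int, adj_index: int) -> None:
        # a longer (more specific) prefix overrides an expanded shorter one in the same slot
        if node.best is None or plen >= node.best[0]:
            node.best = (plen, adj_index)

    def lookup(self, address: str) -> Tuple[Optional[Adjacency], int]:
        """Longest-prefix match with one slot access per octet, so at most 4 levels.
        Returns the adjacency (resolved through the separate table) and the level count."""
        node = self.root
        best = node.best
        levels = 0
        for octet in ipaddress.IPv4Address(address).packed:
            child = node.children[octet]
            if child is None:
                break
            levels += 1
            node = child
            if node.best is not None:
                best = node.best
        if best is None:
            return None, levels
        return self.adjacencies[best[1]], levels


def build_sample_table() -> CefTable:
    """Constructed sample FIB (not taken from any real router)."""
    t = CefTable()
    default = t.add_adjacency(Adjacency("Serial0/0", "203.0.113.1", "MAC-UPSTREAM"))
    core = t.add_adjacency(Adjacency("GigabitEthernet0/0", "10.255.255.1", "MAC-CORE"))
    lan = t.add_adjacency(Adjacency("FastEthernet0/0", "10.1.1.9", "MAC-LSR2"))
    site = t.add_adjacency(Adjacency("FastEthernet0/1", "192.168.0.1", "MAC-SITE"))
    t.add_prefix("0.0.0.0/0", default)
    t.add_prefix("10.0.0.0/8", core)          # shorter prefix inserted before the /30 below it
    t.add_prefix("10.1.1.8/30", lan)          # expands into slots 8..11 at level 4
    t.add_prefix("192.168.0.0/16", site)
    return t


if __name__ == "__main__":
    table = build_sample_table()
    for dst in ("10.1.1.9", "10.1.1.12", "10.9.9.9", "192.168.5.5", "8.8.8.8"):
        adj, levels = table.lookup(dst)
        print(f"{dst:<12} -> {adj.out_iface:<20} {adj.mac_rewrite:<13} levels visited: {levels}")
```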

Monday, November 10, 2008

Process Switching
Process switching is the default switching technique used by all Cisco routers and IOS. According to process switching, when a packet comes from the media to the interface the router goes through the following steps:
1) Check the destination address in the routing table.
2) Perform the recursive lookup or find the directly connected outgoing interface.
3) Do the MAC rewrite for the next hop.
For every packet the same steps need to be followed, which involves the CPU and a lot of processing, and consequently diminishes performance.

Interrupt Context Switching
This is another switching technique used by many Cisco routers and IOS. According to interrupt context switching, a cache is maintained which stores the information for the packet which comes first. After that, if it finds the same packet credentials, then instead of going to the processor the packet goes to the cache. From the cache it gets all it needs and forwards the packet towards the destination. That's why it is called fast switching; optimum switching and CEF switching all use interrupt context switching.

Difference between process and interrupt context switching
1) A cache is maintained in interrupt context switching, whereas in process switching all the steps mentioned above are followed for every packet.
2) Interrupt context switching is faster than process switching.
3) Interrupt context switching uses destination-based load balancing, whereas process switching uses per-packet load balancing.

Saturday, November 8, 2008

In my post Why ospf vpnv4 routes look as external route I explained that the problem can be overcome by changing the OSPF instance id across all instances. But the same can be achieved by changing the domain-id under the OSPF VRF instance. In an MPLS environment the receiving PE matches the routes on the basis of the domain id. If the domain id is different then the PE thinks the routes are coming from another domain and treats them as external routes, which can be seen at the customer end. So by setting the same domain id on both PEs, it treats the routes as coming from its own domain and delivers them as inter-area routes.

Friday, November 7, 2008

This document shows that when a customer runs OSPF with the PE, the routes advertised from one CE to another CE across the MPLS backbone should be IA (Inter Area) routes, but in some cases the routes could be external. The MPLS backbone works transparently for the customer, so for the customer every route should be an inter-area route. But maybe one day you get a call from your customer who is getting all his routes as external routes instead of inter-area routes. I have tried to explain how the external route constraint can be removed by taking a simple precaution.

Thursday, November 6, 2008

What is PHP ?
PHP is Penultimate Hop Popping, which means removing the label one hop before its destination. In figure 1 LER-1 wants to reach the CPE LAN; for this it is getting the route from LER-2 with LER-2's loopback as the next-hop address. For the loopback it checks the routing table, and a recursive lookup is performed. After that the packet is forwarded to the next router, and the same process is followed until it reaches LER-2. You can see the label exchange on LER-1, which pushes a label of 17 and forwards to LSR-1. LSR-1 swaps the label with 20 and forwards the packet to LSR-2. LSR-2 swaps the label with 21 and forwards to LER-2. Now LER-2 checks that this is a directly connected interface; the label is popped off and the normal IP packet is delivered.

Let's see in figure 2 what happens in the case of PHP. The packet is forwarded to the next router, and the same process is followed until it reaches LER-2. You can see the label exchange on LER-1, which pushes a label of 17 and forwards to LSR-1. LSR-1 swaps the label with 20 and forwards the packet to LSR-2. Now LSR-2 forwards the packet after removing the label. When LER-2 gets the packet it only has to perform an IP lookup. This is the case for a directly connected interface.
But in the case of a VPN, when the CPE routes are forwarded a VPN label is also carried along with MP-BGP. So a packet consists of two labels: one is the VPN label and the other is the IGP label. The top label of the stack is always the IGP label and the inner label is the VPN label. So when PHP is performed on LSR-2 it removes the IGP label and forwards the packet with the VPN label. On LER-2 it checks that it is for its directly connected interface; the VPN label is popped off and the normal IP packet is delivered to the CPE.
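An added simulation (my own, not from the original posts) of the label handling described here and in the two earlier posts on this page, "no loopbacks in MPLS" and "impact of summary on loopback addresses". It models each router's LFIB as a small table; a "pop" entry stands for the upstream neighbour having received implicit-null for that FEC. The same packet (IGP label over VPN label) is walked through three constructed topologies: PHP with a /32 loopback next-hop (delivered), the next-hop on a directly connected /30 (IGP label gone one hop early, dropped at LSR-2), and a /16 summary at the PUNE ABR (dropped at the ABR). All label values and router names are constructed.

```python
from typing import Dict, List, Optional, Tuple

# Constructed LFIB model. entry: incoming label -> (action, outgoing label, next-hop router).
# action is "swap" or "pop"; a "pop" entry means the downstream neighbour advertised
# implicit-null (label 3) for that FEC, so this router performs PHP before forwarding.
LfibEntry = Tuple[str, Optional[int], str]
VPN_LABEL = 30   # constructed value: the VPN label the egress PE allocated for the customer VRF


class Router:
    def __init__(self, name: str, lfib: Optional[Dict[int, LfibEntry]] = None,
                 vpn_labels: Optional[Dict[int, str]] = None) -> None:
        self.name = name
        self.lfib: Dict[int, LfibEntry] = lfib or {}
        # VPN labels this PE allocated itself; consulted only once the IGP label is gone
        self.vpn_labels: Dict[int, str] = vpn_labels or {}


def forward(routers: Dict[str, Router], first_hop: str, stack: List[int]) -> Tuple[str, List[str]]:
    """Walk a labelled packet hop by hop, starting at the first router after the ingress PE
    (which has already pushed `stack`, top label first). Returns (outcome, per-hop trace)."""
    trace: List[str] = []
    labels = list(stack)
    current = first_hop
    for _ in range(16):                                   # loop guard
        r = routers[current]
        if not labels:
            trace.append(f"{r.name}: unlabelled packet, plain IP lookup")
            return "delivered-ip", trace
        top = labels[0]
        if top in r.lfib:
            action, out_label, next_hop = r.lfib[top]
            if action == "swap":
                labels[0] = out_label
                trace.append(f"{r.name}: swap {top}->{out_label}, forward to {next_hop}")
            else:
                labels.pop(0)
                trace.append(f"{r.name}: pop {top} (PHP, implicit-null received), forward to {next_hop}")
            current = next_hop
        elif top in r.vpn_labels:
            trace.append(f"{r.name}: VPN label {top} -> {r.vpn_labels[top]}, deliver to CE")
            return "delivered-vpn", trace
        else:
            # the label is neither an IGP label this router knows nor a VPN label it allocated
            trace.append(f"{r.name}: label {top} unknown in LFIB, packet dropped")
            return "dropped", trace
    return "loop", trace


def scenario_php_with_loopbacks() -> Tuple[str, List[str]]:
    """Figure 2 case: BGP next-hop is LER-2's loopback, so only LSR-2 pops (single PHP)."""
    routers = {
        "LSR-1": Router("LSR-1", {17: ("swap", 20, "LSR-2")}),
        "LSR-2": Router("LSR-2", {20: ("pop", None, "LER-2")}),   # imp-null from LER-2 for its /32
        "LER-2": Router("LER-2", vpn_labels={VPN_LABEL: "VRF CUST-A (CPE LAN)"}),
    }
    return forward(routers, "LSR-1", [17, VPN_LABEL])   # LER-1 pushed IGP 17 over VPN 30


def scenario_no_loopbacks() -> Tuple[str, List[str]]:
    """No loopbacks: the next-hop is LER-2's address on the connected 10.1.1.8/30, for which
    LSR-2 already sends implicit-null to LSR-1, so the IGP label is removed one hop too early."""
    routers = {
        "LSR-1": Router("LSR-1", {17: ("pop", None, "LSR-2")}),   # imp-null from LSR-2 for 10.1.1.8/30
        "LSR-2": Router("LSR-2"),                                   # nothing matches a bare VPN label
        "LER-2": Router("LER-2", vpn_labels={VPN_LABEL: "VRF CUST-A (CPE LAN)"}),
    }
    return forward(routers, "LSR-1", [17, VPN_LABEL])


def scenario_summary_at_abr() -> Tuple[str, List[str]]:
    """Summarising 10.1.0.0/16 at the PUNE ABR: the ABR sends implicit-null for the summary,
    the tier-1 router pops, and the ABR receives a VPN label it never allocated."""
    routers = {
        "TIER-1": Router("TIER-1", {40: ("pop", None, "PUNE-ABR")}),  # imp-null for 10.1.0.0/16
        "PUNE-ABR": Router("PUNE-ABR"),
        "T-PE2": Router("T-PE2", vpn_labels={VPN_LABEL: "VRF CUST-A (PUNE site)"}),
    }
    return forward(routers, "TIER-1", [40, VPN_LABEL])


if __name__ == "__main__":
    for scenario in (scenario_php_with_loopbacks, scenario_no_loopbacks, scenario_summary_at_abr):
        outcome, trace = scenario()
        print(f"{scenario.__name__}: {outcome}")
        for hop in trace:
            print("   ", hop)
```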

Click Here For FWSM Architecture. A big question about FWSM physical integration comes to mind: how is it working without the existence of any physical port? The given figure clearly reveals how the blade is integrated with the 7600/6500 chassis with a 6 Gigabit EtherChannel. The blade consists of Network Processor 1A and Network Processor 1B, which are further connected to Network Processor 2 and the bus. NP1A and NP1B can handle up to 3 million packets per second. The FWSM code processor is a software-based component which is responsible for layer 7 protocol inspection and neighbour adjacencies, and maintains routing information. Traffic processed by NP1A and NP1B is known as the fast path. Traffic processed by NP2 is considered the session management path, and traffic processed by the FWSM code processor is known as the slow path.

Tuesday, November 4, 2008

Sometimes you may face a problem in which a ping from R7 to R6 works perfectly, but when you try to ping from R5 to R6 you see drops. What's the reason for that? Do you know? Don't worry, I will let you know the reason behind this. Actually, what happens is that when you ping from R7 the packets are process switched on R7, and then on R5 they are CEF switched, and CEF switching by default is per-destination. So your packets always take either the R5-R3 path or the R5-R1 path. Let's assume the packets take the R5-R3 path and the R5-R1 path has some CRC errors etc. In this case your packets will always follow the R5-R3 path, never R5-R1, and you find no drops. But in the latter case, when you ping from R5 to R6, you always find drops because packets originated from R5 are always process switched, so the packets are load balanced per packet across both paths and you see drops because of this. You can check with the help of the "show ip cef exact-route" command, which will tell you which path is being taken by the packets.
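An added example (my own, not from the original post) that reproduces the effect described: two equal-cost paths from R5, one of them losing packets, with a transit flow pinned to a single path by a per-destination hash and router-originated pings spread per packet across both. The flow hash is a stand-in for CEF's real algorithm, and the addresses and loss pattern are constructed; `exact_route` mirrors what "show ip cef exact-route" answers for a source/destination pair.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Path:
    name: str
    drop_every: int = 0      # 0 = clean link; n = every n-th packet carried is lost (CRC errors)
    carried: int = 0
    dropped: int = 0

    def send(self) -> bool:
        self.carried += 1
        if self.drop_every and self.carried % self.drop_every == 0:
            self.dropped += 1
            return False
        return True


def flow_hash(src: str, dst: str, n_paths: int) -> int:
    """Stand-in for CEF's per-destination hash (the real algorithm differs): the same
    (source, destination) pair always maps to the same path index."""
    octets = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    return sum(octets) % n_paths


def exact_route(src: str, dst: str, paths: List[Path]) -> str:
    """Which path CEF would pin this flow to, like 'show ip cef exact-route src dst'."""
    return paths[flow_hash(src, dst, len(paths))].name


def ping(src: str, dst: str, count: int, paths: List[Path], per_packet: bool) -> Dict[str, int]:
    """per_packet=False mimics CEF per-destination balancing of transit traffic (pings from R7
    passing through R5): the whole flow sticks to one path. per_packet=True mimics process
    switching of router-originated pings (from R5 itself): packets alternate across the paths."""
    delivered = 0
    for seq in range(count):
        idx = seq % len(paths) if per_packet else flow_hash(src, dst, len(paths))
        if paths[idx].send():
            delivered += 1
    result = {"sent": count, "delivered": delivered, "lost": count - delivered}
    result.update({p.name: p.carried for p in paths})
    return result


def build_paths() -> List[Path]:
    """Constructed topology: R5-R3 is clean, R5-R1 loses every second packet it carries."""
    return [Path("R5-R3"), Path("R5-R1", drop_every=2)]


if __name__ == "__main__":
    print("R7 -> R6 via R5 (CEF, per-destination):", ping("10.0.7.7", "10.0.6.6", 20, build_paths(), False))
    print("  exact-route:", exact_route("10.0.7.7", "10.0.6.6", build_paths()))
    print("R5 -> R6 (process switched, per-packet): ", ping("10.0.5.5", "10.0.6.6", 20, build_paths(), True))
```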